I have read several recommendations of online backup services. These indeed sound attractive options as they provide a means for off-site backups, and I would expect they ensure your data is backuped thoroughly. However, I particularly dislike the thought of publishing my data online. Is it possible to use an online backup service while keeping your data private?

8 Answers
8

Pretty much every online service has encryption to prevent your documents being compromised if a server or hard drive goes missing (assuming they do all the back ups and fault tolerance their end).

However, if you can decrypt / get it using software, it pretty much always means that they would also be able to.

Your only real bet is to encrypt it yourself using something like Truecrypt, and backing up the encrypted version (just don't backup a plain text file with the encryption key!.. Can't tell you how many times I have seen people do that!)

If you really think that a place is dodgy and will read your items, perhaps they would not be the correct place for you. However, if you are like me and just over suspicious of everyone, encrypt or do not use these services!

Thanks for your answer. I have thought about the TrueCrypt solution. However, is it possible to do a synchronization with this solution without copying the whole image over and over again?
–
Dimitri C.Sep 8 '09 at 10:53

probably not, you could zip / rar individual files and put a password on them, but when I last looked, zip/rar security could be broken really easy.
–
wilhilSep 8 '09 at 11:00

A few sites allow you to provide your own seed that they say they use to encrypt the file before they even get it. You create a passkey file that you have to provide anytime you want to interact with your account. If they're doing what they say, they can't decrypt it without cracking the encryption algorithm.
–
mikezx6rSep 8 '09 at 11:59

If you don't trust the backup provider with your data, how can you trust them with the key to your data? (See Michael Borgwardt's answer.)
–
Randy OrrisonSep 8 '09 at 13:41

The only real safe way would be to use well-reviewed open source software (probably something rsync-based) and use an online service only as dumb repository for encrypted data.

The problem is that (as far as I'm aware) the dedicated backup services all require you to run a proprietary client. If they wanted your data, all they'd have to do is have that client run a keylogger to defeat any encryption you're doing yourself.

Unfortunately, those proprietary clients are much better than anything open source at making the backup process easy and unobtrusive.

"This should make syncing a truecrypt volume bearable". Are you sure? I would expect that it is necessary to do a full file comparison of the whole volume for rsync to determine what parts are actually modified.
–
Dimitri C.Sep 8 '09 at 11:53

1

I have a 50MB Truecrypt file that I sync with Dropbox. It seems to me that everytime I make changes in the TrueCrypt, it uploads the whole thing. Even though rsync attempts to do the right thing, binary files are likely to change everywhere, even with the smallest change
–
mikezx6rSep 8 '09 at 11:58

1

"binary files are likely to change everywhere": especially so with an encryption tool.
–
Dimitri C.Sep 8 '09 at 11:59

If you ensure that they provide an SSL encryption connection to their server and the data is encrypted the other end, it is a good start.

One great example of secured online backups is Mozy Online Backup. It uses a secured SSL connection from your computer to the backup server and stores the data encrypted their end. Very secure. It is also free up to 2GB. Beyond that, costs are very low. Of course, this is just one example.

I recently asked about online backups on server fault to a different end. It brought to light rsync.net which might be attractive to you. They don't require a client to use, although they do provide a lightweight agent that can automate backups for you. If you desire, you can opt for your own tools to back up to them using ftp/sftp/scp/http. They pretty much just provide you access to a remote file server, and let you decide on how to put the data there. The tool they provide though allows for extensive configuration of backups as well as email reporting. Again, the tool isn't required, but is worth checking out. We have had a lot of trouble with Mozy for our remote servers, and are about to start migrating over to rsync.net.

Jungle Disk will encrypt your data. However, it is a bit more complicated to set up than services like Mozy and Carbonite, and it can easily get more expensive depending upon how much data you wish to store.